Ransomware as a Service Princess Evolution Looking for Affiliates

We have been observing a malvertising campaign via Rig exploit kit delivering a cryptocurrency-mining malware and the GandCrab ransomware since July 25. On August 1, we found Rig’s traffic stream dropping a then-unknown ransomware. Delving into this seemingly new ransomware, we checked its ransom payment page in the Tor network and saw it was called Princess Evolution (detected by Trend Micro as RANSOM_PRINCESSLOCKER.B), and was actually a new version of the Princess Locker ransomware that emerged in 2016. Based on its recent advertisement in underground forums, it appears that its operators are peddling Princess Evolution as a ransomware as a service (RaaS) and are looking for affiliates.

The new malvertising campaign we have observed since July 25 is notable in that the malvertisements included Coinhive (COINMINER_MALXMR.TIDBF). Even if users are not diverted to the exploit kit and infected with the ransomware, the cybercriminals can still earn illicit profit through cryptocurrency mining. Another characteristic of this new campaign is that the operators hosted their malvertisement page on a free web hosting service and used a domain name system canonical name (DNS CNAME) record to map their advertisement domain onto a malicious webpage on that service.
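The CNAME trick above is easy to spot in passive DNS data once you look for it: an ad-serving hostname whose CNAME target lives under a different registrable domain, especially a known free-hosting apex. The following Python check is an added example and is not code from the original post or from Trend Micro; the resolver output, the advertiser and hosting names, and the free-hosting list are all constructed placeholders.

```python
import re
from typing import List, Tuple

# Constructed DNS answers in dig-style presentation format. These are placeholders,
# not records from the campaign described in the post.
SAMPLE_ANSWERS = """\
ads.example-advertiser.test.   300  IN  CNAME  user12345.free-host.test.
user12345.free-host.test.      300  IN  A      203.0.113.10
www.example-advertiser.test.   300  IN  A      198.51.100.7
cdn.example-advertiser.test.   300  IN  CNAME  edge.example-advertiser.test.
"""

# Apex domains of hosting platforms the analyst has chosen to treat as suspicious
# targets for an ad hostname (assumption: analyst-maintained, not from the post).
FREE_HOSTING_APEXES = {"free-host.test"}

# owner  ttl  IN  type  rdata
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(\S+)$")


def apex(name: str) -> str:
    """Naive registrable-domain extraction: the last two labels.
    Assumption: no multi-label public suffixes (co.uk etc.) appear in the data;
    use a Public Suffix List library in production."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_answers(text: str) -> List[Tuple[str, str, str]]:
    """Parse presentation-format resource records into (owner, type, rdata)."""
    records = []
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if m:
            records.append((m.group(1).rstrip("."), m.group(2), m.group(3).rstrip(".")))
    return records


def suspicious_cnames(text: str, hosting_apexes=FREE_HOSTING_APEXES) -> List[Tuple[str, str, str]]:
    """Return (owner, target, reason) for CNAMEs that hand a hostname to a
    different apex; in-zone aliases (same apex) are normal and skipped."""
    findings = []
    for owner, rtype, target in parse_answers(text):
        if rtype != "CNAME" or apex(owner) == apex(target):
            continue
        reason = "cname-to-free-hosting" if apex(target) in hosting_apexes else "cname-to-foreign-apex"
        findings.append((owner, target, reason))
    return findings


if __name__ == "__main__":
    for owner, target, reason in suspicious_cnames(SAMPLE_ANSWERS):
        print(f"{owner} -> {target} [{reason}]")
```

Run against real `dig +noall +answer` output or passive DNS exports; the "cname-to-foreign-apex" class is noisy on its own (CDNs do this legitimately), so the free-hosting list is what turns it into an alert worth triaging.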

Figure 1. The Princess Evolution’s logo on its payment site

Figure 2. Traffic of the malvertisement delivering Princess Evolution via Rig exploit kit (top), and the domain name system (DNS) response of the malvertisement’s domain (bottom)

Trailing Princess Evolution
Princess Evolution uses the same ransom note as Princess Locker. It encrypts files on the system and replaces each file's original extension with a randomly generated string of characters. It drops a ransom note that contains instructions on where and how to pay the ransom of 0.12 bitcoin (equivalent to US$773 as of August 8, 2018).

We found that Princess Locker's developers made a post in underground forums on July 31 advertising an affiliate program for their newly created Princess Evolution. Under its business model, affiliates keep 60 percent of each ransom payment and the remaining 40 percent goes to the malware authors as commission. Based on the advertisement, the operators appear to have spent considerable time developing Princess Evolution.

Translated into English:

"Good summer day, friends! A few months ago we had to suspend our activities to review our stance/situation on many aspects and to start a journey to perfection. It was a period of observations, developments, experiments, long waits and arguments. The loom of perfection always slips away in an ecstasy of chasing it. This is the gist of progress, with which we are happy to return and greet you with the new version of our product. ** Princess Evolution **"

Technical analysis
Its encryption routine scrambles the first chunk of each file with both XOR and AES, and encrypts the rest of the file with AES alone. A significant change from Princess Locker is the shift from hypertext transfer protocol (HTTP) POST to user datagram protocol (UDP) for command-and-control (C&C) communication. The likely reason is lower overhead: UDP needs no connection handshake before data is sent, so the beacon can be fired off as a single datagram, at the cost of no delivery guarantee.

Princess Evolution generates a random 0x80-byte XOR key and a random AES-128 key, and sends both keys, along with the following information, over UDP to port 6901 in the network range 167[.]114[.]195[.]0/23:

Username of the infected computer

Name of the active network interface

The system’s Locale ID (LCID)

Version of operating system (OS)

Victim ID

Security software registered with Windows

Timestamp of when the program was started
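Because the beacon goes to a fixed UDP port in a fixed address block, it is a cheap network detection. The following Python matcher is an added example, not code from the original post or from Trend Micro; the flow records are constructed. One caveat a practitioner will hit immediately: 167.114.195.0/23 as written is not on a /23 boundary (the third octet must be even), so `ipaddress.ip_network` rejects it in strict mode and, with `strict=False`, normalizes it to 167.114.194.0/23, i.e. 167.114.194.0 through 167.114.195.255. The code assumes that is the intended block; if the post meant a /24, adjust the prefix.

```python
import ipaddress
from typing import List, NamedTuple

# Range and port named in the analysis above, un-defanged. strict=False is required
# because 167.114.195.0 is not a /23 network address; it normalizes to 167.114.194.0/23.
# Assumption: that aligned block is the intended one.
C2_NETWORK = ipaddress.ip_network("167.114.195.0/23", strict=False)
C2_PORT = 6901


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int


# Constructed flow records for illustration only, not real capture data.
SAMPLE_FLOWS = [
    Flow("10.0.0.15", "167.114.195.44", "udp", 6901, 412),
    Flow("10.0.0.15", "167.114.194.5", "udp", 6901, 398),    # low half of the /23, still in range
    Flow("10.0.0.22", "167.114.196.9", "udp", 6901, 401),    # next /23, out of range
    Flow("10.0.0.22", "167.114.195.44", "tcp", 6901, 1200),  # TCP, not the UDP beacon
    Flow("10.0.0.31", "192.0.2.53", "udp", 53, 80),          # ordinary DNS
]


def is_c2_beacon(flow: Flow) -> bool:
    """True when the flow is UDP to port 6901 at an address inside the C&C block."""
    if flow.proto.lower() != "udp" or flow.dport != C2_PORT:
        return False
    try:
        dst = ipaddress.ip_address(flow.dst)
    except ValueError:  # malformed address in the record
        return False
    return dst in C2_NETWORK


def beaconing_hosts(flows) -> List[str]:
    """Sorted, de-duplicated source addresses that matched; each is a likely
    infected host whose keys have already been sent and which should be isolated."""
    return sorted({f.src for f in flows if is_c2_beacon(f)})


if __name__ == "__main__":
    print("C&C block:", C2_NETWORK)
    print("hosts beaconing:", beaconing_hosts(SAMPLE_FLOWS))
```

Note the operational point: the beacon carries the XOR and AES keys, so by the time this alert fires the keys have left the host. The detection is for isolation and scoping of an outbreak, not for preventing encryption on the first victim. Blocking outbound UDP/6901 to that block at the perimeter is the preventive counterpart.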

Princess Evolution’s approach to its C&C communication is similar to Cerber’s. It’s also worth noting that Princess Locker’s payment website resembled Cerber’s. Princess Evolution’s payment page now sports a new design.

Exploit kits are a reminder to users and businesses of the importance of patching. Ransomware may have plateaued (and even declined in some regions), but it remains a significant threat given its destructive nature. Follow best practices: think before clicking, keep systems and their applications patched (or consider virtual patching for corporate environments and legacy systems and networks), and implement defense in depth.

A proactive, multilayered approach to security is key against threats that exploit vulnerabilities — from the gateway, endpoints, networks, and servers. Trend Micro™ OfficeScan™ with XGen™ endpoint security has Vulnerability Protection that shields endpoints from identified and unknown vulnerability exploits before patches are even deployed. Trend Micro’s endpoint solutions such as Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security protect end users and businesses from these threats by detecting and blocking malicious files and all related malicious URLs.
